secure-payment-confirmation icon indicating copy to clipboard operation
secure-payment-confirmation copied to clipboard

Published 20 hours ago verified publisher icon w3c

Impact of passkeys on SPC (formerly synced credentials)

Open ianbjacobs opened this issue 3 years ago • 6 comments

At today's SPC task force call [1] we discussed progress in the Web Authentication WG around the issue of synced credentials [2]. (I note from [2] that terminology for this feature may change.)

This issue is about the impact of those changes on SPC. From today's discussion, my initial sense is that:

  • The API surface may not need to change (inputs or outputs).
  • The API should take the new extension into account in the extensions member of SecurePaymentConfirmationRequest and any algorithms that touch on extensions.

Under section 8 Relying Party Operations we will likely want to either enhance 8.1 (Verifying an Authentication Assertion) or introduce new good practice about interpreting the output. In particular: what should an RP do when the extension includes a new device public key that the RP has never seen before (e.g., in terms of risk assessment, recording information on the server, etc.)?

Ian

cc @ve7jtb, @rlin1, @equalsJeffH

[1] https://www.w3.org/2022/02/14-wpwg-spc-minutes [2] https://github.com/w3c/webauthn/issues/1665 [3] https://w3c.github.io/secure-payment-confirmation/#sctn-securepaymentconfirmationrequest-dictionary

ianbjacobs avatar Feb 14 '22 18:02 ianbjacobs

As a forewarning, I likely have close to zero context here, including understanding of proper terms, but this is the scenario that popped into my head when trying to understand this:

I have a relationship with, for example, Visa. I use my Visa card in a ton of places. I often might want to sever my relationship with an individual merchant - cellphone, TV, gym, or something - and literally never would I want to accidentally sever my relationship with Visa in that context, thus stopping payments on my electricity, water, childcare, home internet, etc. Doing so would be an unmitigated disaster.

In other words, if I've used a provider (stripe, etc) via "store A", and then later, go to use "store B" which also happens to use the same provider - I very much might want to exert GDPR rights and/or sever my relationship with store B, but under no circumstances would i want that to accidentally sever my relationship with store A.

ljharb avatar Mar 17 '22 16:03 ljharb

See FIDO white paper related to multi-device credentials: https://fidoalliance.org/white-paper-multi-device-fido-credentials/

ianbjacobs avatar Apr 19 '22 14:04 ianbjacobs

Based on discussion about: https://github.com/w3c/secure-payment-confirmation/pull/183#discussion_r861788122

For future discussion: SPC talks about "the current device." Based on CABLE and synched credentials we may wish to revisit that phrase in the specification to talk about context or environment.

ianbjacobs avatar Apr 29 '22 13:04 ianbjacobs

Since WebAuthn is considering handling the multi-device credential/single-device key distinction in WebAuthn (see w3c/webauthn/pull/1663 and w3c/webauthn/pull/1695), we might just leverage that - without having the need to change the SPC spec. However, adding that topic to considerations would be good.

rlin1 avatar Jun 09 '22 09:06 rlin1

Discussed today with WebAuthn WG [1]. Things are still in flux so no concrete suggestions at this time.

[1] https://www.w3.org/2023/05/03-webauthn-irc

ianbjacobs avatar May 03 '23 19:05 ianbjacobs

Keeping tabs here on the relationship of this pull request to SPC: https://github.com/w3c/webauthn/pull/1957

ianbjacobs avatar Dec 05 '23 19:12 ianbjacobs